Re: Protecting Java Class Files...

[Lincoln Yeoh <lyeoh () POP JARING MY>]

At 09:21 AM 28-09-2000 +0100, SMILER wrote:
>   My customers are running some online games that  gives points to the
> pplayers if they win, and the points can be exchanged by  prices later on.
> What I pretented to do is to protect their java  class files as they can´t
> be easily decompiled, and I am sure there must be some  ways to do this.
> Any suggestions ? Smiler.   

It doesn't sound easy to do. I'm wondering why you are sure there are ways
to do it ;).

My normal assumption is the client has full control over whatever they can
download and run. So if there are any secrets in your programs they will
eventually be found. At the moment I don't think you can stop people from
decompiling your stuff if you want to allow them to run it on their own
machines.

I suggest setting things up so that decompilation of your client isn't an
issue. 

1) Move as much as you can server side. The server should be under your
control. And game reality should be under the server's control. The clients
can only _suggest_ to the server what to do, the server decides whether
it's possible. The clients must NEVER be able to define reality. They can
only suggest changes to the reality but not define it. If the clients can
define reality, it is likely that they can cheat. 

For example if the points are stored in the client side, then they can
cheat (unless the server digitally signs the scores/points/scorecard - but
you better think the implementation through thoroughly!). If the program
running at client side decides whether the user wins, then they can cheat.
But if the server decides who wins and keeps track of the points then it's
harder to cheat.

A harder issue: for many online games the clients know what everyone else
in a game is doing, even if players aren't supposed to know. Because for
some games (3d) it is too difficult for the server to know when not to tell
the clients certain things. So you get things like players being able to
see through walls and so on. 

However for card games you can prevent that from happening and you better
do it! 

2) Identify players uniquely - then it's easier to tell who is cheating.
e.g. a hard to guess session cookie is sent with each request and verified
by the server for validity. This can be quite resource intensive. If
possible you should increase the cost of creating accounts - either in time
or money - so that you don't get mischief makers creating tons of throwaway
accounts.

3) Dealing with mischief makers. You should be able to blacklist/ban
players if they abuse the system. Preferably automatically. So they get
ignored if they try to make 1000 connections to your servers or do other
silly stuff. Sometimes people react badly if they lose. And sometimes
people just want to cause trouble.

There are many other things to think of and do. I'm sure other people have
good suggestions. Take a look at them and spend a few days to think of
other things based on what you learn.

Cheerio,
Link.